[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Local users get to play root?

Verily I say unto thee, that Jesse Keating spake thusly:
> On Thu, 2009-11-19 at 10:32 -0600, Chris Adams wrote:
>> Once upon a time, Jesse Keating <jkeating redhat com> said:
>>> That is incorrect, unless somehow your ssh tunneled VNC registers as
>>> "local console login", which I doubt.  In your case, none of your users
>>> would be allowed to install software/updates.


Just reading the reference material now.

Is the policy:

-constraint local


--constraint selinux_context:system_u:object_r:some_context_t

Is there a URL to the default PolicyKit policy shipped in F12, so I can
review it?

In particular, I'm hoping to be able to re-roll the respective package
to lock down the policy, then respin F12 with that modified package, for
use on my network.

>> VNC looks like a local console login.
>> -- 
>> Chris Adams <cmadams hiwaay net>
>> Systems and Network Administrator - HiWAAY Internet Services
>> I don't speak for anybody but myself - that's enough trouble.
> Not according to what I'm being told by the Desktop folks, at least as
> far as PolicyKit and ConsoleKit are concerned.
> <Oxf13> hrm, in the world of PolicyKit and ConsoleKit, does a VNC login
> look like a "console" login for the sake of policy?
> <hughsie> Oxf13: no
> <hughsie> if you log in, then start remote desktop, and then allow other
> users to connect then it does
> <hughsie> if you're just using vnc to create a virtual desktop for users
> then it's not on_console, so to speak

Good. I'm doing the latter (headless server).

Keith G. Robertson-Turner

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]